The Safe Harbor pact allowed U.S. companies to
"self-certify" that they were abiding by strict privacy safeguards
while pulling data from European servers. (Photo: Intel Free Press/flickr/cc)

Europe's top court on Tuesday delivered a historic blow to mass
surveillance with a ruling that found the right to personal privacy trumps
government spying.

The European Court of Justice (ECJ) found in its decision
(pdf) that the so-called "Safe Harbor" agreement, which allowed U.S.
companies to "self-certify" that they met strict privacy safeguards
while pulling data from European servers, "must be regarded as compromising
the essence of the fundamental right to respect for private life" as
guaranteed by the European Convention on Human Rights.

The case was brought by Austrian privacy activist Max Schrems,
who argued that American surveillance operations such as PRISM—exposed by
National Security Agency (NSA) whistleblower Edward Snowden in 2013—rendered
useless the privacy safeguards in the Safe Harbor agreement, which for years
has allowed technology companies to transfer user data across continental
boundaries.

Tuesday's ruling was celebrated widely by privacy advocates,
including Snowden himself, who toasted
Schrems on Twitter, writing, "Congratulations, @MaxSchrems. You've changed the
world for the better."

The bottom line, Snowden said, is that "the #SafeHarbor ruling
indicates the indiscriminate interception of communications is a violation of
rights."

The ECJ's ruling means companies in the U.S. and EU have to come
up with alternative ways of transferring user data—and could impact as many as
4,000 firms, including tech giants like Facebook and Google.

Jens Henrik-Jeppesen, director of European Affairs at the Center
for Democracy and Technology (CDT), said
the ECJ's decision "shows the need to step up reforms of government surveillance
practices."

"The invalidation of the Safe [Harbor] agreement should
spur governments on both sides of the Atlantic to ratchet up long-overdue
reform efforts," Jeppesen said, adding that it was "undoubtedly a
major jolt for companies and will likely adversely impact their
operations."

Schrems specifically named Facebook in his complaint (pdf) to the
ECJ, charging that the company forwards information from its Ireland office,
where data on more than 83 percent of its users is stored, directly to the NSA
and other U.S. intelligence agencies.

Moreover, the court said, the U.S. did not provide adequate
recourse for European citizens seeking legal redress over violations of their
privacy rights, which "compromises the essence of the fundamental right to
effective judicial protection."

As for what real-world solutions may be on the horizon, Schrems
said the U.S. government would have to implement "severe changes" in
American law and "more than just an update to the current 'safe harbor'
system. Otherwise full compliance with EU fundamental rights and the judgment
will be very hard to achieve."

But, he said, "There are still a number of alternative
options to transfer data from the EU to the U.S. The judgement makes it clear
that now national data protection authorities can review data transfers to the
U.S. in each individual case—while the 'safe harbor' allowed for a blanket
allowance."

Despite some "alarmist
comments" about how the ruling may impact the way tech
companies do business, Schrems said he sees no reason why better data
protection and reviews of data transfers would cause "major
disruptions" for consumers or providers.

Nonetheless, notes
Electronic Frontier Foundation international director Danny O'Brien, the
"fundamental incompatibility of U.S. mass surveillance with European data
protection principles" could "certainly force the companies to
re-think and re-engineer how they manage the vast amount of data they
collect."

However, O'Brien added, it will take more than better
"reviews" of data transfers to protect Europeans from mass surveillance.

The "geographic siloing of data" by itself, he argues,
"is of little practical help against mass surveillance if each and every
country feels that ordinary customer data is a legitimate target for signals
intelligence. If governments continue to permit intelligence agencies to
indiscriminately scoop up data, then they will find a way to do that, wherever
that data may be kept. Keep your data in Ireland, and GCHQ may well target it,
and pass it onto the Americans. Keep your data in your own country, and you'll
find the NSA—or other European states, or even your own government— breaking
into those systems to extract it."

Other observers had even stronger words for the decision. The
World Wide Web Foundation called it
a "landmark judgment." The internet advocacy group's global campaign
manager Renata Avila said, "Today's Judgment puts people's fundamental
right to privacy before profit."

"Without effective safeguards for privacy, the Web as we
know it could wither and die," Avila said. "Following today's ruling,
new safeguards must now urgently be put in place that protect the Web as it
should be, a secure and private space where people can start businesses,
research confidential topics or just chat with friends without the fear of
being subjected to unwarranted government snooping."

This work is licensed under a Creative Commons Attribution-Share
Alike 3.0 License

"The master class
has always declared the wars; the subject class has always fought the battles.
The master class has had all to gain and nothing to lose, while the subject
class has had nothing to gain and everything to lose--especially their lives."
Eugene Victor Debs